2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303

Analysis

max time kernel
149s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
Size

48KB
MD5

1c6454eae1b9c041d41332fc9c27de92
SHA1

277388dc0c7b76f2a20dd01467f1b53e1059dc58
SHA256

2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303
SHA512

8079b8ccd9690c9c404611b5bb9391cadba27b56ea99f4221015b61839c150e124e905e01d86272ad85cb54621cac33ac372b3a54922a12ef10457026e8605e0
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI98j:V7Zf/FAxTWoJJ7Ta

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5202) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4020-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023466-2.dat	upx
behavioral2/files/0x0014000000022912-6.dat	upx
behavioral2/memory/4020-920-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-oob.xrm-ms.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcr120.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSB.TTF.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-utility-l1-1-0.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VCCORLIB140_APP.DLL.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-pl.xrm-ms.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-pl.xrm-ms.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\zlibwapi.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libGLESv2.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-pl.xrm-ms.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationUI.resources.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfxswt.jar.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BLANK.ONE.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Office16\3082\MSO.ACL.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\id.pak.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationCore.resources.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationUI.resources.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\PersonalMonthlyBudget.xltx.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEVI.DLL.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL117.XML.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\lt.pak.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe

C:\Users\Admin\AppData\Local\Temp\2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
"C:\Users\Admin\AppData\Local\Temp\2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
48KB

MD5
ac623e5d78319abfbd8a60e4b92abfbd

SHA1
e7c2285b9b2bdeeaaad31e9b6aedc92e16e09b5d

SHA256
a9232c94f1f454e4e3de530ddd77f28bd7efa601821f19b795629c37009b918e

SHA512
747f57774208ab5f96f84fe69d42903e5b96279688c0da33554b52a03e2ece2ff759c115eeab46d846253905646fe989b0e2b0f9bb03057bf4d8847bedece3ed

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
147KB

MD5
c417c32f713d8af346f12a4d0f2e40a3

SHA1
cd239e9957c9a587502638ccbb9053ec76ffddd0

SHA256
a80ed950f5868e5c09836bca5bf93d1fe11708a61a9f5a05052f8dcf49b5a344

SHA512
f7916b4313aba358065328203b698723bc327373702ce038d47c5a404423729fef0bc909b2522e5ef49775f75248d4eef3ce0d1d2802224d172d1735982ad31f

Download Submit
memory/4020-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4020-920-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download